
3.1 An Information Theoretic Model of Cognitive Hacking

Information theory has been used to analyze the value of information in horse races and in optimal portfolio strategies for the stock market [22]. We have begun to investigate the applicability of this analysis to cognitive hacking. So far we have considered the simplest case, that of a horse race with two horses. But the analysis can be easily extended to the case of the stock market.

Sophisticated hackers can use information theoretic models of a system to define a gain function and conduct a sensitivity analysis of its parameters. The idea is to identify and target the most sensitive variables of the system, since even slight alterations of their value may influence people’s behavior. For example, specific information on the health of a company might help stock brokers predict fluctuations in the value of its shares. A cognitive hacker manipulates the victim’s perception of the likelihood of winning a high payoff in a game. Once the victim has decided to play, the cognitive hacker influences which strategy the victim chooses.

3.1.1 A Horse Race

Here is a simple model illustrating this kind of exploit. A horse race is a system defined by the following elements [22]

There are m horses running in a race

If we consider a sequence of n independent races, it can be shown that the average rate of the wealth gained at each race is given by

i

Where bi is the percentage of the available wealth invested on horse i at each race. So the betting strategy that maximizes the total wealth gained is obtained by solving the following optimization problem

subject to the constraint that the bi’s add up to 1. It can be shown that this solution turns out to be simply b=p (proportional betting) and so ( , ) log .

Thus, a hacker can predict the strategy of a systematic gambler and make an attack with the goal of deluding the gambler about his/her future gains. For example, a hacker might lure an indecisive gambler to invest money on false prospects. In this case it would be useful to understand how sensitive the function W is to p and o, and to tamper with the data in order to convince a gambler that it is worth playing (because W appears illusorily larger than it actually is).

To study the sensitivity of W to its domain variables we consider the partial derivatives of W with respect to pi and oi and see where they assume the highest values. This gives us information on how steep the function W is on subsets of its domain.

If we consider the special case of races involving only two horses (m=2), then we have

2

Thus, if we fix one of the variables then we can conduct a graphic analysis of those functions with a 3D plot.

Case 1. o1 is constant.

W(p, 3, o2)

This is the doubling rate function. The most sensitive parameter for increasing W is o2. As this variable increases, W grows at a fast rate for low values of p and at a smaller rate for higher values of p.
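The effect of falsified data on a proportional bettor can be made concrete with the following added example (not code from the paper). It assumes the standard information-theoretic doubling-rate definition W(b, p, o) = Σ p_i log2(b_i o_i); the function names and sample values are constructed for illustration. It compares the growth rate the gambler believes in with the one actually realized, and evaluates the m = 2 sensitivities.

```python
import math

def doubling_rate(b, p, o):
    """W(b, p, o) = sum_i p_i * log2(b_i * o_i) (standard definition, assumed)."""
    return sum(pi * math.log2(bi * oi) for bi, pi, oi in zip(b, p, o) if pi > 0)

def kl_divergence(p, q):
    """Relative entropy D(p || q) in bits."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)

def perceived_vs_realized(p_true, p_believed, o):
    """A proportional bettor stakes b = p_believed.
    Returns (perceived W, realized W, best achievable W)."""
    perceived = doubling_rate(p_believed, p_believed, o)
    realized = doubling_rate(p_believed, p_true, o)
    optimal = doubling_rate(p_true, p_true, o)
    return perceived, realized, optimal

def sensitivity_two_horse(p, o1, o2):
    """Partial derivatives of the proportional-betting rate for m = 2:
    W*(p, o1, o2) = p*log2(p*o1) + (1-p)*log2((1-p)*o2)."""
    ln2 = math.log(2)
    return {
        "dW/dp": math.log2(p * o1) - math.log2((1 - p) * o2),
        "dW/do1": p / (o1 * ln2),
        "dW/do2": (1 - p) / (o2 * ln2),
    }

# Constructed sample values: o1 = 3 as in Case 1, o2 chosen so the odds are fair.
ODDS = (3.0, 1.5)
P_TRUE = (0.5, 0.5)
P_FALSIFIED = (0.8, 0.2)  # probabilities the gambler has been led to believe

if __name__ == "__main__":
    perceived, realized, optimal = perceived_vs_realized(P_TRUE, P_FALSIFIED, ODDS)
    print(f"perceived W = {perceived:+.4f} bits/race")
    print(f"realized  W = {realized:+.4f} bits/race")
    print(f"optimal   W = {optimal:+.4f} bits/race")
    # The shortfall from the optimum equals the KL divergence of the false belief.
    print(f"D(p_true || p_believed) = {kl_divergence(P_TRUE, P_FALSIFIED):.4f}")
    for p in (0.1, 0.5, 0.9):
        print(p, sensitivity_two_horse(p, *ODDS))
```

The gap between the optimal and the realized rate is exactly D(p_true || p_believed), which gives a defender a direct measure of how much damage a given distortion of the inputs can cause.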

3.1.2 Applying the Horse Race Example to the Internet

Let’s take into consideration the Mark Jakob case discussed earlier. In this example the two horses are: horse 1, Emulex stock goes up; and horse 2, Emulex stock goes down.

First the cognitive hacker makes the victim want to play the game by making the victim think that he can make a large profit through Emulex stock transactions. This is done by spreading misinformation about Emulex, whether positive or negative: news that, if true, would likely cause the stock’s value to sharply increase or decrease, respectively. Positive misinformation might be the news that Emulex had just been granted a patent that could lead to a cure for AIDS. Negative misinformation might be that Emulex was being investigated by the Securities and Exchange Commission (SEC) and that the company was forced to restate 1998 and 1999 earnings. This fraudulent negative information was in fact posted by Jakob.

p

o

2

3.2 Theories of the Firm and Cognitive Hacking

Much attention in economics has been devoted to theories of the market. The economic actor has been modeled as enjoying perfect, costless information. Such analyses, however, are not adequate to explain the operation of firms. Theories of the firm provide a complementary economic analysis taking into account transaction and organizing costs, hierarchies, and other factors left out of idealized market models. It has been argued that information technology will transform the firm, such that “. . . the fundamental building blocks of the new economy will one day be ‘virtual firms’, ever-changing networks of subcontractors and freelancers, managed by a core of people with a good idea” [33].

Others argue that more efficient information flows not only lower transaction costs, thereby encouraging more outsourcing, but also lower organization costs, thereby encouraging the growth of larger companies [2]. More efficient information flow implies a more standardized, automated processing of information, which is susceptible to cognitive attack. In this light Libicki’s characterization of semantic attacks in terms of misinformation being inserted into interactions among intelligent software agents [60] can be applied to misinformation’s potential to disrupt increasingly automated business processes, as well.

3.3 Digital Government and Cognitive Hacking

The National Center for Digital Government is exploring issues related to the transition from traditional person-to-person provision of government services to the provision of such services over the Internet. As excerpted from the Center’s mission statement:

Government has entered a period of deep transformation heralded by rapid developments in information technologies. The promise of digital government lies in the potential of the Internet to connect government actors and the public in entirely new ways. The outcomes of fundamentally new modes of coordination, control, and communication in government offer great benefits and equally great peril [71].

A digital government workshop held in 2003 [72] focused on five scenarios for future authentication policies with respect to digital identity:

• Adoption of a single national identifier

• Sets of attributes

• Business as usual, i.e., continuing growth of the use of ad-hoc identifiers

• Ubiquitous anonymity

• Ubiquitous identity theft.

The underlying technologies considered for authentication were: biometrics; cryptography, with a focus on digital signatures; secure processing/computation; and reputation systems.

Most of the discussion at the workshop focused on issues related to authentication of users of digital government, but, as the scenario related to ubiquitous identity theft implies, there was also consideration of problems related to misinformation, including cognitive hacking.

In the face-to-face interaction with other people associated with traditional provision of government services, there is normally some context in which to evaluate the reliability of information being conveyed. As we have seen, this type of evaluation cannot be directly transferred to digital government. The Internet’s open nature makes it an ideal arena for dissemination of misinformation. What happens if a user makes a decision based on information found on the Web that turns out to be misinformation, even if the information appears to come from a government website? In reality, the information might be coming from a spoofed version of a government website. Furthermore, the insider threat is a serious concern for digital government.
